agentic-dev-template/docs/library-decisions/2026-05-14-@sentry/node.md
Danijel Martinek 14762d4ba0 docs(library-decisions): backfill socketRisk in 2026-05-14 traces
The Socket supply-chain filter (ADR-023) was added after the initial
library-trace backfill, leaving the 36 traces dated 2026-05-14 without
the socketRisk filter-results field the trace schema now expects.
Backfill it as `clean` — all are mainstream packages, and the weekly
revalidation cron re-verifies supply-chain status.
2026-05-20 17:02:13 +02:00


package: @sentry/node
version: ^10.51.0
tier: core
decision: approved
date: 2026-05-14
deciders: Danijel Martinek
adr: adr-014
filter-results:
  license: MIT
  types: native
  maintenance: active
  boundary-fit: pass
  shadow-check: pass
  eu-residency: ok
  cve-scan: clean
  named-consumer: pass
  socketRisk: clean
verification-commands:
  npm view @sentry/node license
  npm view @sentry/node version
  pnpm audit --audit-level=moderate
accepted-cves:

Filter: license

npm view @sentry/node license returns MIT. MIT is on the allowlist.

Filter: types

@sentry/node is authored in TypeScript and ships its own .d.ts declaration files. No separate @types/ package is needed.

Filter: maintenance

Actively maintained by Sentry Inc. The 10.x line is the current major. Regular releases track Node.js LTS versions and fix security issues promptly.

Filter: boundary-fit

ADR-014 designates Sentry as the error-capture and tracing backend for Node.js server processes. @sentry/node is an optional peer dependency of core-shared — it is consumed exclusively within core-shared/instrumentation/sentry/init-server-node.ts and the CMS app's instrumentation.ts. Feature packages MUST NOT import @sentry/node directly (ESLint no-restricted-imports, ADR-014 §6).
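
As an added example (not code from this repository), the boundary described above can also be checked by a standalone scan that flags direct @sentry/node imports outside the two files this trace names, for use in CI alongside the ESLint rule. The feature-package paths and sample sources are constructed, and matching the allowed files by path suffix is an assumption about the repository layout.

```javascript
// Added example, not the project's code. The two allowed consumers come from
// this trace; matching them by path suffix is an assumption about the layout.
const ALLOWED_SUFFIXES = [
  'core-shared/instrumentation/sentry/init-server-node.ts',
  'apps/cms/src/instrumentation.ts',
];

// Static import / re-export (`from`), side-effect and dynamic `import`, and
// `require()` of "@sentry/node" or a subpath. The closing quote must follow
// directly or after "/...", so "@sentry/nextjs" or "@sentry/node-x" never match.
const SENTRY_NODE_IMPORT =
  /(?:\bfrom\s*|\bimport\s*\(?\s*|\brequire\s*\(\s*)(['"])@sentry\/node(?:\/[^'"]*)?\1/;

function isAllowed(path) {
  return ALLOWED_SUFFIXES.some((s) => path === s || path.endsWith('/' + s));
}

// files: { [path]: sourceText }. Returns [{ path, line }] for each violation.
function findBoundaryViolations(files) {
  const violations = [];
  for (const [rawPath, source] of Object.entries(files)) {
    const path = rawPath.replace(/\\/g, '/');
    if (isAllowed(path)) continue;
    // Blank out comments (keeping newlines) so commented-out imports are not
    // reported and line numbers stay accurate.
    const code = source
      .replace(/\/\*[\s\S]*?\*\//g, (m) => m.replace(/[^\n]/g, ' '))
      .replace(/\/\/.*$/gm, '');
    code.split('\n').forEach((text, i) => {
      if (SENTRY_NODE_IMPORT.test(text)) violations.push({ path, line: i + 1 });
    });
  }
  return violations;
}

// Constructed sample sources; the feature-* packages are hypothetical.
const SAMPLE_FILES = {
  'packages/core-shared/instrumentation/sentry/init-server-node.ts':
    "import * as Sentry from '@sentry/node';\n",
  'apps/cms/src/instrumentation.ts': "const Sentry = await import('@sentry/node');\n",
  'packages/feature-billing/src/report.ts':
    "// import { x } from '@sentry/node'\nimport {\n  captureException,\n} from \"@sentry/node\";\n",
  'packages/feature-search/src/index.ts':
    "import { init } from '@sentry/nextjs';\nconst s = require('@sentry/node/sub');\n",
};

console.log(findBoundaryViolations(SAMPLE_FILES));
```

The comment stripping is deliberately simple and does not understand string literals, so a hit is a prompt to open the file rather than a final verdict.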

Filter: shadow-check

@sentry/node is the sole Node.js server error-monitoring SDK in the workspace. No competing APM agent or crash reporter is present.

Filter: eu-residency

Sentry offers EU-region data residency (de.sentry.io). The CMS_SENTRY_DSN environment variable can point to an EU-hosted project; all payloads route to the DSN host. PII scrubbing at the OTel processor layer (ADR-017, ADR-014 §4) ensures only scrubbed data is exported.

Filter: cve-scan

pnpm audit --audit-level=moderate reports no advisories against @sentry/node at the time of this trace.

Filter: named-consumer

packages/core-shared lists @sentry/node as an optional peer dependency. apps/cms/src/instrumentation.ts is the concrete consumer, initializing the Node SDK for the Payload CMS process. A named, non-hypothetical consumer exists today.

Prompt: replaces

No prior server-side error monitoring was in place for the CMS process. @sentry/node replaces unstructured console.error calls that left CMS mutation failures undetected in production.

Prompt: migration-cost-out

Low. @sentry/node is used only in core-shared/instrumentation/sentry/init-server-node.ts and the CMS app's instrumentation.ts. The interface boundary (ADR-014 §1) means no feature package references it. Replacement requires swapping the initialization file and updating the CMS_SENTRY_DSN env var.

Prompt: alternatives-considered

  1. @sentry/nextjs for CMS — Rejected: the Payload CMS process is a plain Node server, not a Next.js app. @sentry/node is the correct SDK for non-Next processes.
  2. OpenTelemetry OTLP exporter only — Considered but deferred; Sentry's session grouping and alert routing add value beyond raw OTLP. The bridge via @sentry/opentelemetry preserves OTel portability.

See ADR-014 for the full decision rationale.